
Re: problems with nsswitch.conf and KDM



On Friday 29 October 2004 21:02, martin f krafft wrote:

> We are using LDAP to manage our cluster and have modified the
> /etc/nsswitch.conf file accordingly. For instance, the line for user
> accounts reads:
>
>   passwd: ldap files

Me too.  And everything is working well here.  There are a number of things 
that seem to make a difference with ldap:

 * nsswitch.conf
 * your PAM settings
 * nscd

You've already got the nsswitch right.  I've attached
my /etc/pam.d/{common-*,kdm} files for you.  I suspect that installing nscd
will make your problem go away.  nscd acts as a nice root-privileged buffer
between getpwnam() calls and ldap.  With nscd not running, normal users are
unable to do lookups ("getent passwd" will confirm), but once nscd is running
everything seems to be hunky dory.

Hope that helps.

Andy

-- 
Andy Parkins
Technical Director                          email: andyp@leaseline.plus.com
Leaseline Systems Limited                   tel:   +44 (0)151 652 5551
Unit 31, Price Street Business Centre       fax:   +44 (0)151 652 9983
Birkenhead, CH41 4JQ

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account	sufficient	pam_ldap.so
account	required	pam_unix.so
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth	sufficient	pam_ldap.so
auth	required	pam_unix.so try_first_pass
#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-password
@include common-session

auth       required     pam_nologin.so
auth       required     pam_env.so
session    required     pam_limits.so
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

password	sufficient	pam_ldap.so
password	required	pam_unix.so md5
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session	required	pam_unix.so
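
Added example, not part of the original message or its attachments: a small Python model of how Linux-PAM walks the auth stack that kdm builds from the files above, showing which modules still run once pam_ldap.so is marked sufficient. It models only the required, requisite and sufficient flags (anything else is ignored), and the pass/fail outcomes fed to it are constructed.

```python
# Added example: minimal model of Linux-PAM control flags, not libpam itself.
# FILES holds reduced copies of the attachments above (constructed input).
FILES = {
    "common-auth": "auth sufficient pam_ldap.so\n"
                   "auth required pam_unix.so try_first_pass\n",
    "kdm": "@include common-auth\n"
           "auth required pam_nologin.so\n"
           "auth required pam_env.so\n"
           "session required pam_limits.so\n",
}

def expand(name, kind):
    """Return [(control, module)] for one management group, inlining @include."""
    stack = []
    for line in FILES[name].splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "@include":
            stack += expand(fields[1], kind)   # included lines join the same stack
        elif fields[0] == kind:
            stack.append((fields[1], fields[2]))
    return stack

def run(stack, outcome):
    """Walk the stack; outcome maps module -> True/False (default True).
    Returns (granted, modules_called)."""
    called, failed = [], False
    for control, module in stack:
        called.append(module)
        ok = outcome.get(module, True)
        if control == "sufficient" and ok and not failed:
            return True, called          # stack ends here, the rest is skipped
        if control == "requisite" and not ok:
            return False, called
        if control == "required" and not ok:
            failed = True                # remembered, later modules still run
    return not failed, called

if __name__ == "__main__":
    stack = expand("kdm", "auth")
    # Constructed scenarios: an LDAP account, then a local account,
    # both while /etc/nologin exists (pam_nologin.so would fail).
    for label, outcome in [
        ("LDAP user ", {"pam_nologin.so": False}),
        ("local user", {"pam_ldap.so": False, "pam_nologin.so": False}),
    ]:
        print(label, run(stack, outcome))
```

In the LDAP case the stack returns success after calling only pam_ldap.so, so the pam_nologin.so and pam_env.so auth lines that follow the @include are never consulted for that user; the local-account case runs all four modules and is denied.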
